On 21.10.2012 08:39, Mark Pröhl wrote:
> On 21.10.2012 00:21, Berthold Cogel wrote:
>> On 19.10.2012 20:02, Mark Pröhl wrote:
>>> Hi,
>>>
>>> is there any difference in the output of the following two search
>>> requests?
>>>
>>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>>   -b ou=People,dc=uni-koeln,dc=de \
>>>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>>
>>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>>   -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>>
>>> Regards,
>>>
>>> Mark
>>>
>>> On 19.10.2012 16:05, Berthold Cogel wrote:
>>>> Hello!
>>>>
>>>> I've configured Kerberos with an LDAP backend and I'm now trying to
>>>> fill it with users.
>>>>
>>>> System: RHEL5
>>>> Kerberos: 1.6.1-70.el5 (MIT)
>>>> LDAP: openldap-ltb-2.4.28-1.el5
>>>>
>>>> Kerberos is talking to the local LDAP via LDAPI.
>>>>
>>>> The setup is working for all principals in the Kerberos container. I
>>>> can do a kinit and get a ticket...
>>>> I also did a
>>>> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
>>>>
>>>> I did an ldapadd for some test users followed by an addprinc for each
>>>> test user. A listprincs shows the principals of these test users.
>>>>
>>>> But when I try to do a kinit I get this:
>>>>
>>>> kinit a0537
>>>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>>
>>>> This happens for each principal in the ou=People.
>>>>
>>>> The ldapsearch with the first part of the krb5 request in the LDAP log
>>>> shows this:
>>>>
>>>> ldapsearch -x -ZZ -H ldap://... -D cn=... -W "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))" scope=2 deref=0
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <> with scope subtree
>>>> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
>>>> # requesting: scope=2 deref=0
>>>> #
>>>>
>>>> # a0537, People, uni-koeln.de
>>>> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>>>>
>>>> # search result
>>>> search: 3
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> So the principal is in the tree. The complete krb5 request in the LDAP
>>>> log looks like this:
>>>>
>>>> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>>>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>>>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>>>> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>>>> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>>>> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>>>> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>> slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>>>> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>>>>
>>>> I don't understand what is happening. And I don't know where to look.
>>>>
>>>> Regards
>>>>
>>>> Berthold Cogel
>>>> ________________________________________________
>>>> Kerberos mailing list kerberos@mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>> What I get is this:
>>
>> ldapsearch -Y EXTERNAL -H ldapi:// -b ou=People,dc=uni-koeln,dc=de '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=People,dc=uni-koeln,dc=de> with scope subtree
>> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> ldapsearch -Y EXTERNAL -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
>> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 32 No such object
>>
>> # numResponses: 1
>>
>> Regards
>>
>> Berthold
>>
>
> Sorry, I missed that MIT is not using SASL/EXTERNAL. Please try again with
>
> root@kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// \
>   -b ou=People,dc=uni-koeln,dc=de \
>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_1>@RRZ.UNI-KOELN.DE))'
>
> root@kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// \
>   -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE))'
>
> - Replace <BIND_DN> by the value of ldap_kdc_dn from your kdc.conf (or krb5.conf)
>
> - Replace <USER_1> by a Kerberos principal entry that is stored below ou=People
>
> - Replace <USER_2> by a Kerberos principal entry that is stored below cn=RRZ.UNI-KOELN.DE,ou=Kerberos
>
> Do these LDAP searches result in different attribute sets?
>
> Regards,
>
> Mark Pröhl
>
There are additional attributes for the ou=People. At the moment we're still using NIS and AFS on our Linux systems. I want the LDAP to provide a NIS replacement and authenticate via AFS and/or KRB5 so I can gradually move our systems to KRB5. AFS, KRB5 and LDAP will be provisioned from an identity management system in the near future and I'm trying to provide the infrastructure for our systems.

ldapsearch -x -D xxxxxx -W -H ldapi:// -b ou=People,dc=uni-koeln,dc=de '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=uni-koeln,dc=de> with scope subtree
# filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
# requesting: ALL
#

# a0537, People, uni-koeln.de
dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
uidNumber: ....
givenName: Berthold
uid: a0537
employeeType: active
sn: Cogel
gidNumber: ...
cn: Berthold Cogel
mail: a0537
homeDirectory: /afs/...
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: ....
krbPrincipalName: a0537@RRZ.UNI-KOELN.DE
krbPwdPolicyReference: cn=default,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbPrincipalKey:: ...
krbLastPwdChange: 20121019122736Z
krbExtraData:: ....

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ldapsearch -x -D xxxxxx -W -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
# filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE))
# requesting: ALL
#

# <USER_2>@RRZ.UNI-KOELN.DE, RRZ.UNI-KOELN.DE, Kerberos, uni-koeln.de
dn: krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbPrincipalName: <USER_2>@RRZ.UNI-KOELN.DE
krbPrincipalKey:: ....
krbLastPwdChange: 20120529092551Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbPwdPolicyReference: cn=default,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbExtraData:: ...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Regards

Berthold
________________________________________________
Kerberos mailing list kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
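Mark's question ("Do these LDAP searches result in different attribute sets?") can be answered mechanically instead of by eyeballing two LDIF dumps. The script below is an added example, not code from the thread or from MIT Kerberos: it parses the LDIF that ldapsearch prints (folded continuation lines, `::` base64 values, `#` comments), diffs the attribute names and objectClass values of the ou=People entry against the realm-container entry, and evaluates the KDC's search filter from the slapd log client-side against each entry. The two LDIF samples are constructed to mirror the entries posted above; everything redacted in the thread (uidNumber, gidNumber, keys, userPassword, the AFS home path, and the realm-container principal, here `test2@RRZ.UNI-KOELN.DE`) is dummy data.

```python
"""Diff the attribute sets of two krbPrincipalAux entries returned as LDIF.

Added example for the kerberos@mit.edu thread above; the LDIF below is
constructed from the posted entries with dummy values where the thread
redacts them.
"""
import base64
from typing import Dict, Iterator, List

# Constructed: the ou=People entry from the thread with dummy values.
PEOPLE_LDIF = """\
# a0537, People, uni-koeln.de
dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
uidNumber: 10001
givenName: Berthold
uid: a0537
employeeType: active
sn: Cogel
gidNumber: 100
cn: Berthold Cogel
mail: a0537
homeDirectory: /afs/example.invalid/home/a0537
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: e1NTSEF9ZHVtbXk=
krbPrincipalName: a0537@RRZ.UNI-KOELN.DE
krbPwdPolicyReference: cn=default,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln
 ,dc=de
krbPrincipalKey:: AAAA
krbLastPwdChange: 20121019122736Z
krbExtraData:: AAAA
"""

# Constructed: a realm-container entry; the principal name is invented.
REALM_LDIF = """\
# test2@RRZ.UNI-KOELN.DE, RRZ.UNI-KOELN.DE, Kerberos, uni-koeln.de
dn: krbPrincipalName=test2@RRZ.UNI-KOELN.DE,cn=RRZ.UNI-KOELN.DE,ou=Ker
 beros,dc=uni-koeln,dc=de
krbPrincipalName: test2@RRZ.UNI-KOELN.DE
krbPrincipalKey:: AAAA
krbLastPwdChange: 20120529092551Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbPwdPolicyReference: cn=default,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbExtraData:: AAAA
"""

Entry = Dict[str, List[object]]  # lowercased attribute name -> values (str or bytes)


def _unfold(text: str) -> Iterator[str]:
    """Yield logical LDIF lines: join ' '-continued lines, drop '#' comments."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]          # RFC 2849 folding: leading space continues the line
            continue
        if buf is not None:
            yield buf
        buf = None if raw.startswith("#") else raw
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch output into a list of entries (blank line separates entries)."""
    entries: List[Entry] = []
    entry: Entry = {}
    for line in _unfold(text):
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                       # "attr:: <base64>"
            val: object = base64.b64decode(value[1:].strip())
        else:
            val = value.strip()
        entry.setdefault(name.strip().lower(), []).append(val)
    if entry:
        entries.append(entry)
    return entries


def matches_kdc_filter(entry: Entry, principal: str) -> bool:
    """Client-side evaluation of the KDC's filter seen in the slapd log:
    (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<principal>)).
    objectClass compares case-insensitively; krbPrincipalName is compared exactly,
    as the MIT kerberos schema defines it with caseExactIA5Match."""
    ocs = {str(v).lower() for v in entry.get("objectclass", [])}
    names = {v for v in entry.get("krbprincipalname", []) if isinstance(v, str)}
    return bool(ocs & {"krbprincipalaux", "krbprincipal"}) and principal in names


def compare_entries(first: Entry, second: Entry) -> Dict[str, List[str]]:
    """Attribute names and objectClass values present in only one of the two entries."""
    oc1 = {str(v).lower() for v in first.get("objectclass", [])}
    oc2 = {str(v).lower() for v in second.get("objectclass", [])}
    return {
        "attrs_only_in_first": sorted(set(first) - set(second)),
        "attrs_only_in_second": sorted(set(second) - set(first)),
        "objectclasses_only_in_first": sorted(oc1 - oc2),
        "objectclasses_only_in_second": sorted(oc2 - oc1),
    }


if __name__ == "__main__":
    people, realm = parse_ldif(PEOPLE_LDIF)[0], parse_ldif(REALM_LDIF)[0]
    print("People entry matches KDC filter:", matches_kdc_filter(people, "a0537@RRZ.UNI-KOELN.DE"))
    for key, val in compare_entries(people, realm).items():
        print(f"{key}: {val}")
```

Feed it real output by replacing the two constants with the LDIF that `ldapsearch -x -D <BIND_DN> -W -H ldapi:// ...` prints for each entry; because the KDC binds as `ldap_kdc_dn` with a SIMPLE bind (see the `mech=SIMPLE` lines in the slapd log), run the searches under that identity rather than with `-Y EXTERNAL` so that any ACL difference shows up in the dump you compare.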
